Pricing  Get Quote
 
 

Improve password hygiene with strong

password policy enforcement

Start a free trial

Why your business is at risk without a password policy enforcement tool

Passwords used by employees can either make or break data security in an organization. It's not surprising, however, to know that employees don't often follow good password hygiene. From setting weak and generic passwords to lax password policy rules in native tools like Windows Active Directory Group Policies, several factors pose a serious threat to password security and put an organization's data at risk.

Complexity loopholes in Active Directory password policies

What are the Active Directory password policy requirements?

  • Minimum password length
  • Minimum password age
  • Maximum password age
  • Password complexity requirements
  • Password history enforcement
  • Reversible encryption for storing passwords

Why aren't Active Directory password policies enough?

  • A one-size-fits-all password policy does not exist. They should be customized to suit different hierarchies, geographical regions, and departments in a company. But Active Directory password policies do not have this capability since they are not applicable to OUs.
  • Dictionary words, patterns, and palindromes cannot be restricted.
  • Consecutive repetition of the same character cannot be prevented.
  • The password policy cannot be enforced during password reset by admins in the Active Directory Users and Computers (ADUC) console.
  • The policy settings cannot mandate the number of characters from a certain character type.
  • Because of their limited password and account lockout settings, they cannot meet password compliance regulations such as the NIST, PCI DSS, HIPAA, and the GDPR password standards.
  • They cannot prevent sophisticated, modern password attacks like dictionary and brute-force attacks.
  • On the whole, it is challenging for admins to keep tracking the assigned password policies in a particular domain.

Enforce a robust password policy and restrict common words from user passwords

Download now

Effective password policy enforcement with ADSelfService Plus

ManageEngine ADSelfService Plus' Password Policy Enforcer overcomes the drawbacks of Active Directory's built-in password policies and enables you to enforce a custom, advanced password policy that seamlessly integrates with the above-mentioned Active Directory password policies. It fortifies your Active Directory passwords to ensure that your organizational resources are protected from potential cyberattacks.

How to fortify user passwords with ADSelfService Plus' Password Policy Enforcer

The Password Policy Enforcer in ADSelfService Plus can be set to enforce the following requirements:

  • Restrict characters
  • Restrict repetition
  • Restrict pattern
  • Restrict
    length
  • Restrict compromised
    passwords

Restrict characters: These password policy settings include mandating the number of special, numeric, and Unicode characters. You can also set the type of character that the password should start with.

 
 

Configure the inclusion of alpha-numeric characters in passwords.

Restrict characters

Restrict repetition: These settings enable you to enforce password history and restrict the use of consecutive characters from usernames or previous passwords. Consecutive repetition of the same character can also be restricted.

 
 

Restrict users from reusing their previous passwords during password creation.

Restrict repetition

Restrict pattern: The settings under this tab restrict custom dictionary words, patterns, and palindromes that might be commonly used.

 
 

Restrict users from using common patterns, dictionary words, and palindromes in their passwords.

Restrict pattern

Restrict length: These rules let you set both a minimum and maximum number of characters for the password.

 
 

Configure the minimum and maximum password length to satisfy the NIST password guidelines.

Restrict length

Restrict compromised passwords: ADSelfService Plus lets you integrate with the Have I been Pwned service which bans the use of passwords involved in previous hacks and prevents credential stuffing attacks.

Restrict compromised passwords

  1.  
  2.  
  3.  
  4.  
  5.  

Benefits of using password policy enforcement with ADSelfService Plus

  •  

    Help users choose strong passwords

    Display password policy requirements on the reset and change password pages so that users are prompted to set strong passwords. Allow users to see the strength of the password live on the password change or reset screen by enabling the Password Strength Analyzer.

  •  

    Password reports

    Receive out-of-the-box reports that give IT admins a holistic view of users' password expiration and account lockout status, enrollment data, and self-service actions in all the connected domains.

  •  

    Encourage passphrases

    Enable users to create long and secure passphrases by overriding the password policy rules if the password is beyond a specific length.

  •  

    Enforce policies universally

    Enforce your policy for password changes from the Ctrl+Alt+Del screen and during ADUC password resets.

  •  

    Implement granular password policies

    Set password policies for OUs and groups separate from the one set for the domain to match the level of sensitive resources specific users need access to.

  •  

    Meet regulatory compliance standards

    Create password policies that comply with the NIST, HIPAA, CJIS, and the GDPR.

Enforce a strong password policy and stay immune to password attacks

Schedule a demo

FAQs

  • 1. What is a password policy?

    A password policy is a set of rules created and enforced to strengthen user passwords. A password that satisfies and enforces all the rules of a password policy helps better secure the underlying data against potential password attacks. A password policy includes rules that specify minimum password length, maximum password age, password history requirements, and password complexity details.

  • 2. What is a password attack, and what are the different types of password attacks?

    A password attack refers to a threat actor trying to authenticate themselves maliciously into your password-protected account using a compromised password. The different types of password attacks are dictionary attack, brute-force attack, credential stuffing, phishing, man-in-the-middle attack, password spraying, and keylogger attack.

  • 3. What is a dictionary attack?

    A dictionary attack involves a threat actor trying to hack into a user account by repeatedly trying various combinations of dictionary words. Often, the words used are not necessarily dictionary words, but predictable password choices like names, birth places, or pet's names, which users normally tend to use in their passwords. For this reason, users are advised to avoid such words while setting passwords.

  • 4. What is meant by Active Directory password complexity?

    Active Directory password complexity requirements are settings that mandate that users include certain special characters, like uppercase, lowercase, or non-alphanumeric characters, and to avoid using their usernames in their passwords. Users have chosen strong passwords when the complexity requirements of the enforced domain password policy are met.

  • 5. Are passwords sufficient to protect data and secure identities?

    Securing a user account or data endpoint with only a password makes it most vulnerable to the password attacks of today. Deploying multi-factor authentication mechanisms are a good practice to render compromised credentials useless to hackers. Strong authentication mechanisms like biometrics have made securing passwordless user authentication possible.

  • 6. What is the difference between the Active Directory domain password policy and a fine-grained password policy (FGPP)?

    The default Active Directory domain password policy defines configurable rules for user account password creation. This password policy is only applicable to the entire domain to which it is linked, and cannot be customized for a specific set of users, groups, or OUs. Active Directory's FGPP, on the other hand, overcomes this drawback and allows password policies to be tailored to different users and groups within the domain.

ADSelfService Plus also supports

  •  

    Enterprise single sign-on

    Allow users to access all enterprise applications with a single, secure authentication flow.

    Learn more  
  •  

    Remote work enablement

    Enhance remote work with cached credential updates, secure logins, and mobile password management.

    Learn more  
  •  

    Zero Trust

    Create a Zero Trust environment with advanced identity verification techniques and render your networks impenetrable to threats.

    Learn more  
  •  

    Enterprise self-service

    Delegate profile updates and group subscriptions to end users and monitor these self-service actions with approval workflows.

    Learn more  
  •  

    Powerful integrations

    Establish an efficient and secure IT environment through integration with SIEM, ITSM, and IAM tools.

    Learn more  
  •  

    Password management and security

    Simplify password management with self-service password resets and account unlocks, strong password policies, and password expiry notifications.

    Learn more  

ADSelfService Plus trusted by